
Authentication Service Delivery Made EASY™

LDAP Synchronization Agent

Configuration Guide


Copyright © 2013 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice. SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.

SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.

Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Support

SafeNet technical support specialists can provide assistance when planning and implementing SafeNet Authentication Service. In addition to aiding in the selection of the appropriate authentication products, SafeNet can suggest deployment procedures that will provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

SafeNet works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a SafeNet channel partner, please contact your partner directly for support needs.

To contact SafeNet Authentication Service support directly:

Europe / EMEA North America

Revision History

Version  Date        Changes
4.1      2013.07.18  Correct the Environment table; update screenshots for SAS
4.0      2013.06.27  Minor text changes
3.0      2012.06.30  Update for SafeNet branding; remove CRYPTOCard / BlackShield branding
2.0      2011.05.09  Minor updates

Contents

Applicability
Environment
Overview
Features
Preparation and Prerequisites
Configuring the Agent
Sync Agent Configuration Tool
  Status Tab
    LDAP Configuration Group
    LDAP Sync Groups
    Last Sync Status Group
    Transaction Details Group
  Configuration Tab
    LDAP Configuration Group
    LDAP Sync Group(s)
    LDAP Schema Configuration
    Other Synchronization Options
    Mobile Number Country Code
    LDAP Scan Interval
    SafeNet Authentication Service Synchronization Server
    Re-initialize Source
  Notification Tab
    SMTP Configuration
    E-Mail Test


Applicability

The information in this document applies to:

• SafeNet Authentication Service (SAS)
  A cloud authentication service of SafeNet Inc.
• SafeNet Authentication Service – Service Provider Edition (SAS-SPE)
  The software used to build a SafeNet authentication service.
• SafeNet Authentication Service – Private Cloud Edition (SAS-PCE)
  A term used to describe the implementation of SAS-SPE on-premise.


Environment

Summary

Supported Platforms               Windows XP SP3, Windows Vista SP2, Windows 7, Windows 8
                                  Windows Server 2003 R2, Windows Server 2008 SP2, Windows Server 2008 R2, Windows Server 2012
Supported Architecture            32-bit, 64-bit
Additional Software Components    Windows: .NET 2.0
Network Ports                     TCP port 8456 (agent to SafeNet Authentication Service)
                                  TCP port 389 (agent to LDAP Directory Server)
                                  TCP port 636 (agent to LDAP Directory Server over SSL, optional)
Supported LDAP Directory Servers  Active Directory, Sun One 6.x, Novell eDirectory 8.x
LDAP Directory Server Access      Read-only
Supported LDAP Groups             Single LDAP group, multiple LDAP groups

Overview

1. The organization imports its agent key file into the LDAP Synchronization Agent, configures a connection to its LDAP Directory Server and then selects one or more LDAP groups.

2. The LDAP Synchronization Agent queries the LDAP Directory Server for all users within the selected LDAP group(s).

3. For each member of the group, the first name, last name, username, email address, address, phone, mobile number and all LDAP group memberships are retrieved and stored in the agent's persistent cache.

4. The LDAP Synchronization Agent pushes all user and group information to SafeNet Authentication Service, which in turn creates each user and group in the Virtual Server.

5. The LDAP Synchronization Agent queries the LDAP Directory Server every 30 minutes (the default synchronization period) and compares the result against the user and LDAP group information held in its persistent cache; only the differences are sent to SafeNet Authentication Service.


Features

Most organizations maintain information about their users in an LDAP directory such as Active Directory. The purpose of the Synchronization Agent is to auto-populate SafeNet Authentication Service with users maintained in one of these user sources.

Key features of the agent are:

• Can be used with almost any LDAP Directory Server.
• Can accommodate custom schemas.
• Does not write to the user source (read-only access).
• Does not require an administrator account to connect to the user source; a read-only account is sufficient.
• Can synchronize multiple user sources (e.g. multiple LDAP directories).
• Uses AES encryption for traffic between the LDAP Synchronization Agent and SafeNet Authentication Service.


Preparation and Prerequisites

1. From the COMMS tab of your virtual server, select Authentication Processing > LDAP Sync Agent Settings.

2. Click the Download button to download the Synchronization Agent Key File (BSIDSyncConfigFile.bmc). This file is required during configuration of the LDAP Sync Agent; it identifies your organization to the service, so store and transfer it as you would a credential.

3. Download the LDAP Sync Agent installation package. A link to the agents and other software can be found on the Snapshot tab in the References module.

4. The following information is required to complete the configuration of the agent after installation:

   • The IP address or host name and port number of your LDAP Directory Server.
   • An account name and password that the LDAP Synchronization Agent can use to connect to the LDAP Directory Server. Use a dedicated account whose password is set to never expire, so that the agent is always able to connect; the account does not need write permission because the agent only reads from the directory.
   • TCP port 389 (LDAP) or 636 (LDAP over SSL) open between the LDAP Synchronization Agent and the LDAP Directory Server.
   • TCP port 8456 open between the LDAP Synchronization Agent and SafeNet Authentication Service.

5. Install the agent using the instructions provided by the installer. All configuration is performed after installation.

Configuring the Agent

From an Administrator account, launch the Agent from Start > SafeNet > Agents > SAS Sync Agent. Use “Run as administrator” if necessary.

In the Current Organization section, click the Add button. Browse to the location of the BSIDSyncConfigFile.bmc and load the file.

In the LDAP Configuration section click the Configure button.

Enter the host name or IP address and port number of the LDAP Directory Server. Select SSL if the directory server has a certificate installed and accepts LDAP over SSL (TCP port 636). Without SSL the LDAP session is not encrypted, so the agent's bind credentials and the user data it reads cross the network in clear text.

If you have one or more failover LDAP directory servers that the agent should connect to when the primary cannot be reached, select the corresponding number from the Number of Failover hosts dropdown.

Click Next to continue.

Select a schema from the dropdown list. The default choices are Active Directory, eDirectory and SunOne directory.

Enter the User DN and password of the account created for the agent. The User DN identifies the user (and its location within LDAP) that the agent uses to connect to the LDAP Directory Server. If using Active Directory, enter this value in email (UPN) format.

Example: the Base DN in the screenshot (not reproduced here) is dc=ts, dc=cryptocard, dc=com, so the user is entered as username@ts.cryptocard.com.

The agent will automatically find all containers with users, starting from the Base DN. You can exclude containers or add containers by checking the manually edit option.

The next step is to configure the LDAP group memberships which determine which users are synchronized. In other words, containers determine where to look for users, while group membership determines which users in a container will be synchronized.

Use the arrow buttons to add or remove highlighted Available Groups to/from Synchronized Groups. Click Configure in the Other Synchronization Options group.

If required, modify the LDAP Scan Interval.

Select the Notification tab. In SMTP Configuration select Configure.

Enter a From email address, the host name or IP address of the SMTP server, the port number and, if required, the user name and password used to log on to the SMTP server.

Enter one or more valid email addresses in the recipient email list and select the event(s) that should trigger a notification.
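The following simulation is an added example written for this page, not code from SafeNet's agent. It models what the configuration above produces at run time: Overview steps 2 to 5 (query, cache, push, periodic compare), the rule that containers say where to look while Synchronized Groups say which users are taken, the LDAP Scan Interval note that only detected changes are sent, and Re-initialize Source. The in-memory directory, the User fields, the group DNs and the "re-send everything after re-initialize" behaviour are assumptions made for the illustration.

```python
# Example added for this page (not SafeNet's code): a simulation of the behaviour
# the guide describes in Overview steps 2-5, the "containers say where, groups say
# who" rule under Configuring the Agent, the LDAP Scan Interval note that only
# changes are sent, and Re-initialize Source.  The directory below is a constructed
# in-memory stand-in for an LDAP server; field names and DNs are assumptions.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class User:
    dn: str            # distinguished name of the user object
    username: str
    email: str
    mobile: str
    groups: frozenset  # DNs of the groups the user belongs to


def in_container(user_dn: str, container_dn: str) -> bool:
    """True when user_dn lies at or below container_dn (case-insensitive suffix
    match; a real agent must normalise DNs per RFC 4514 before comparing)."""
    return user_dn.lower().endswith("," + container_dn.lower())


def select_users(directory, containers, excluded, sync_groups):
    """Containers determine where to look; group membership decides who is taken."""
    chosen = {}
    for user in directory:
        if not any(in_container(user.dn, c) for c in containers):
            continue                  # outside every searched container
        if any(in_container(user.dn, c) for c in excluded):
            continue                  # inside an excluded container
        if not user.groups & sync_groups:
            continue                  # not a member of any Synchronized Group
        chosen[user.username] = user
    return chosen


class SyncAgent:
    """Keeps the persistent cache and sends only the differences it finds."""

    def __init__(self, containers, excluded, sync_groups):
        self.containers = list(containers)
        self.excluded = list(excluded)
        self.sync_groups = frozenset(sync_groups)
        self.cache = {}               # username -> User: the persistent cache
        self.sent_transactions = 0    # the "Sent Transactions" status counter

    def reinitialize_source(self):
        """Re-initialize Source: drop the cache so the next scan rebuilds it.
        Assumption: that scan then re-sends every selected user (the guide only
        says that users and groups already on SAS are unaffected)."""
        self.cache = {}

    def scan(self, directory):
        """One scheduled scan: returns (# unique objects, # differences, transaction)."""
        current = select_users(directory, self.containers, self.excluded, self.sync_groups)
        added = [n for n in current if n not in self.cache]
        removed = [n for n in self.cache if n not in current]
        updated = [n for n in current if n in self.cache and self.cache[n] != current[n]]
        differences = len(added) + len(removed) + len(updated)
        transaction = None
        if differences:               # nothing is sent when nothing changed
            transaction = {"add": added, "remove": removed, "update": updated}
            self.sent_transactions += 1
        self.cache = current
        return len(current), differences, transaction


# Constructed sample directory (not real data).
BASE = "dc=ts,dc=cryptocard,dc=com"
STAFF = "ou=Staff," + BASE
CONTRACTORS = "ou=Contractors," + BASE
ARCHIVE = "ou=Archive," + STAFF
G_VPN = "cn=VPN Users,ou=Groups," + BASE
G_ALL = "cn=All Staff,ou=Groups," + BASE


def build_directory():
    return [
        User("cn=alice," + STAFF, "alice", "alice@ts.cryptocard.com", "0778-89991111", frozenset({G_VPN, G_ALL})),
        User("cn=bob," + STAFF, "bob", "bob@ts.cryptocard.com", "", frozenset({G_ALL})),          # not in a sync group
        User("cn=carol," + CONTRACTORS, "carol", "carol@example.net", "", frozenset({G_VPN})),   # wrong container
        User("cn=dave," + ARCHIVE, "dave", "dave@ts.cryptocard.com", "", frozenset({G_VPN})),     # excluded container
    ]


def demo():
    """Three scans: initial load, an unchanged scan, then two directory changes."""
    agent = SyncAgent(containers=[STAFF], excluded=[ARCHIVE], sync_groups=[G_VPN])
    directory = build_directory()
    first = agent.scan(directory)     # alice added
    second = agent.scan(directory)    # no differences, nothing sent
    directory[1] = replace(directory[1], groups=frozenset({G_VPN, G_ALL}))  # bob joins VPN Users
    directory[0] = replace(directory[0], mobile="0778-89992222")             # alice's mobile changes
    third = agent.scan(directory)     # bob added, alice updated
    return first, second, third, agent.sent_transactions
```

Running demo() shows the three outcomes a practitioner should expect from the Status tab counters: the first scan reports 1 unique object and 1 difference and sends a transaction, the second reports 0 differences and sends nothing, and the third (bob added to the group, alice's mobile changed) reports 2 differences and one more transaction. Carol and dave never appear because a group membership alone is not enough; the user must also sit in a searched, non-excluded container. Note that the cache holds the same personal data that is pushed to SafeNet Authentication Service (names, email, mobile numbers), so the agent host's disk and the Transaction Details view deserve the same access controls as the directory itself.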


Sync Agent Configuration Tool

The SAS Sync Agent configuration tool allows for the modification of various features available within the agent.

Status Tab

The Status tab deals primarily with supplying information on LDAP Sync Groups and their transaction details.

LDAP Configuration Group

• LDAP Connection Status
  Displays the current connection status between the agent and the LDAP Directory server.
• LDAP Configuration info
  Displays the connection information for the LDAP server. This dialog does not display any password information.

LDAP Sync Groups

Lists all LDAP groups configured to synchronize with SafeNet Authentication Service.

Last Sync Status Group

• Last Sync Time
  Displays the amount of time required to scan all groups and retrieve user information.
• # of Unique Objects
  Displays the number of LDAP objects discovered during the last scheduled scan.
• # of Differences
  Displays the number of LDAP objects that differed between the local persistent cache and the LDAP Directory server during the last scheduled scan.
• Sent Transactions
  Displays the number of updates sent to SafeNet Authentication Service.
• Total Users Sync’d
  Displays the number of users currently synchronized with SafeNet Authentication Service.

Transaction Details Group

• Transaction ID
  Displays the number of the current transaction record.
• Status
  Displays the status of the transaction.
• Scan Started
  Displays the start date and time of an LDAP Directory server scan.
• Scan Ended
  Displays the end date and time of an LDAP Directory server scan.
• Sent to MAS
  Displays the date and time the transaction was delivered to SafeNet Authentication Service.
• Updated Objects
  Displays the number of new users and/or groups discovered during the last scheduled scan.
• Total Differences
  The number of differences discovered within users and/or groups.
• Refresh
  Amount of time before the transaction details are updated.
• Save As
• Clear
  Permanently deletes all transaction details.

Configuration Tab


LDAP Configuration Group

This section is used to configure the connection between the agent and the LDAP Directory server.

• Host name or IP
  Specifies the location of the LDAP server.
• Port
  By default TCP port 389 is used. If required, the Active Directory Global Catalog (TCP port 3268) may be used instead; note that the Global Catalog only holds the attributes replicated to it, so an attribute mapped in the schema that is not part of that set will come back empty.
• Use SSL
  If the LDAP server has been configured with a certificate, this option may be selected. When it is selected, change the Port value to 636 (or 3269 for the Global Catalog over SSL). Without SSL the LDAP session, including the bind credentials, is sent in clear text.
• Number of Failover
  The number of failover LDAP directory servers the agent should try if the primary cannot be reached.


LDAP Schema

Includes default LDAP schema support for Active Directory (2003/2008), eDirectory 8.x and Sun One 6.x.

Additional schemas may appear if configured under LDAP Schema Configuration.

LDAP Credentials

• User DN
  If using Active Directory, enter the value in email (UPN) format.
  Example: the Base DN in the screenshot (not reproduced here) is dc=ts, dc=cryptocard, dc=com, so the username "ccldap" is entered in User DN as ccldap@ts.cryptocard.com.
  If using another LDAP server the User DN is a full distinguished name, for example: uid=ccldap, ou=Users, dc=ts, dc=cryptocard, dc=com
• Base DN
  Specifies the top level of the LDAP tree from which the agent searches.
• Append Base DN
  Appends the Base DN to the value entered in User DN.
  Example: with a User DN of uid=ccldap and Append Base DN selected, the following is submitted to the LDAP server when connecting: uid=ccldap, dc=ts, dc=cryptocard, dc=com
• Password
  The password of the account named in User DN.
• Manually edit containers
  Allows manual editing of the containers (locations) where users can be found.

LDAP Sync Group(s)

LDAP groups may be selected from Available Groups and placed into Synchronized Group(s). If the group is not visible, enter the name of the group in the Available Groups field.

Synchronization will not take place if Synchronized Group(s) contains no groups.


LDAP Schema Configuration

The schema management dialog allows for the creation of a custom schema. This can be used to view LDAP objects which are not visible by default within the LDAP Synchronization agent.

Other Synchronization Options

Mobile Number Country Code

COUNTRY CODE TO PREPEND

The agent automatically strips all non-numeric characters from the data in the “Cell Number” mapping (refer to point 7 above). In addition, if a numeric value is entered into this field, the agent will prepend this value to the “Cell Number” mapping under the following conditions:

• If the Cell Number has 00 as the leading digits, the agent will remove the leading 00. Example: 0041-77889991111 becomes 4177889991111

• If the Cell Number has 0 as the leading digit, the agent will strip the 0 and prepend the country code. Example using 31 as prepend country code: 0778-89991111 becomes 3177889991111

• If the Cell Number leading digit is 1 through 9, the agent will prepend the country code. Example using 31 as prepend country code: 778-89991111 becomes 3177889991111
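To make the three rules above checkable before a synchronization runs, here is an added example (written for this page, not SafeNet's implementation) that applies them to raw directory values exactly as stated and reports what would be stored. The sample values are constructed; the behaviour with no country code configured (strip only) is an assumption, since the guide describes the prefix rules only for the case where a numeric value is entered.

```python
# Example added for this page (not SafeNet's code): the Cell Number clean-up and
# COUNTRY CODE TO PREPEND rules as the guide states them, applied to sample values.
import re


def normalize_mobile(cell_number: str, country_code: str = "") -> str:
    """Return the digits the agent would store for the mapped Cell Number value.

    Rules from the guide:
      1. all non-numeric characters are stripped;
      2. if a numeric country code is configured:
         - a leading "00" is removed and nothing is prepended;
         - a single leading "0" is removed and the country code is prepended;
         - a leading 1-9 gets the country code prepended.
    Assumption: with no numeric country code only rule 1 applies.
    """
    digits = re.sub(r"\D", "", cell_number or "")
    if not country_code.isdigit() or not digits:
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return country_code + digits[1:]
    return country_code + digits


def preview(cell_numbers, country_code):
    """Map each raw directory value to (stored value, needs-review flag).

    The flag marks the failure mode the rules create: a value written with a
    "+" international prefix loses the "+" in rule 1, rule 2 then sees a
    leading 1-9 and prepends the configured country code on top of the one
    already present."""
    report = {}
    for raw in cell_numbers:
        normalized = normalize_mobile(raw, country_code)
        flagged = raw.strip().startswith("+") and country_code.isdigit()
        report[raw] = (normalized, flagged)
    return report


# Constructed sample values: the three from the guide plus two edge cases.
SAMPLE_VALUES = [
    "0041-77889991111",   # 00-prefixed international: 00 dropped, nothing prepended
    "0778-89991111",      # trunk 0 dropped, country code prepended
    "778-89991111",       # leading 1-9: country code prepended
    "+41 77 889 9111",    # "+" form: country code doubled after normalisation
    "n/a",                # no digits at all: stored empty
]

if __name__ == "__main__":
    for raw, (value, flagged) in preview(SAMPLE_VALUES, "31").items():
        print(f"{raw!r:22} -> {value!r}{'  (check: + prefix)' if flagged else ''}")
```

The practical consequence is that directory mobile numbers must be kept in either 00-prefixed international form or local form with a trunk 0; numbers stored as "+41 ..." are silently turned into a wrong number (here 3141778899111) and SMS-delivered passcodes would go nowhere useful. Running preview() over an export of the mapped attribute before enabling synchronization finds such entries.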

LDAP Scan Interval

This value determines how frequently the agent will scan LDAP for changes. Only if changes are detected will the agent synchronize with the authentication server. The default value is 20 minutes.

SafeNet Authentication Service Synchronization Server


Re-initialize Source

Clears the local persistent user and group cache used by the LDAP Synchronization agent (this does not affect users and groups on SafeNet Authentication Service). The next scheduled scan will create a new set of cached data.

Notification Tab

The Notification tab deals primarily with SMTP Server configuration and alert messages.

SMTP Configuration

• Configure SMTP Settings

Enter a from Email address, the Hostname/IP address of the SMTP server, port number. If required, the user name and password credentials to log onto the SMTP server may be entered.

E-Mail Test

• Enter Email Address


E-Mail Message Templates

The agent can send notification if it is unable to connect to LDAP or connect to SafeNet Authentication Service.

Event Recipient Lists

• List Name
  Display name for the event.
• Recipient E-Mail
  Enter a valid email address, then select Add.
• Recipient E-Mail List
  Displays a list of all email addresses to notify.
• Events
